Cisco's $28 billion purchase of Splunk was the biggest story, but other security majors made strategic acquisitions as well in a better-than-expected quarter.

Cisco's massive $28 billion acquisition of Splunk in September was the financial highlight of a quarter during which several other vendors also made strategic purchases to position themselves for emerging enterprise requirements around cloud, application and identity security.

The acquisitions added to a better-than-expected quarter ended Sept. 30, 2023, with venture funding too picking up steam after a slowdown earlier this year following the collapse of Silicon Valley Bank. IPO activity showed early signs of a revival for the first since late 2021 as well and provided further evidence of the resilience of the sector against economic conditions that have roiled other verticals.

Security segments that witnessed the most activity included services, security consulting, application GRC, security operations and identity and access management.

**Reasonable Valuations Drive Acquisition Interest**

The third-quarter's M&A activity continued a gradual consolidation of the security industry as big players got bigger through acquisitions and smaller players looked for opportunities to make profitable exits.

"It appears to have been quite an active quarter, even without Cisco’s $28bn acquisition of Splunk, and there are some good reasons for this," says Rik Turner an analyst at Omdia. With IPO activity still not fully revived, some venture capital firms are looking for quicker exits, resulting in a lot of cybersecurity companies being available at reasonable prices. "That’s why there are currently stories circulating about the likes of Dig and Talon being in negotiation to be acquired by Palo Alto, for instance. Even SentinelOne—which is currently public--is also said to be on the hunt for an acquirer," Turner says.

Cisco's purchase of Splunk positioned the company as one of the industry's foremost players in the next generation SIEM market, a cloud and analytics-driven alternative to traditional security information and event management technologies.

The acquisition—Cisco's largest ever—was one of more than half-a-dozen purchases the company has made this year to insert itself into multiple hot cybersecurity segments. Others include identity management vendor Oort, AI/ML software vendor Armorblox, network performance monitoring vendor Acedian and cloud security vendors Lightspin and Valtix.

**A Gradual Reshaping of the Industry**

Cisco was not alone in its attempts to buy its way into lucrative and emerging security segments. Q3, 2023 had several other vendors making similar moves. The most prominent among them were CrowdStrike's purchase of application security posture management vendor Bionic for a report $350 million; Check Point's forking out of some $490 million for secure remote access vendor Perimeter 81; Thales' $3.6 billion acquisition of Imperva in July and Tenable's $265 million cash and restricted stock purchase of cloud native application protection platform vendor Ermetic.

"Strategic technology buyers are actively looking to round up their offerings by acquiring innovative solutions and teams with the subject matter expertise that will help them stay relevant and competitive in emerging market segments," says Alberto Yépez managing director of Forgepoint Capital. "Sponsors are also actively looking for acquisitions that will help them add capabilities to the platform companies they own in order to expand their addressable market and increase their rate of growth."

Yépez identified the managed security services market as a segment that garnered considerable interest from acquisition hunters last quarter—and through the year in general. Much of the activity was in response to growing demand for security services from companies that were either struggling to find professionals or were looking to outsource the security function to others.

"We expect more activity in this segment in the next four to six quarter. It is primed for consolidation," he says. M&A activity so far this year suggests that cloud security and compliance are sectors with lots of potential for consolidation given how overcrowded the segments are with emerging companies, Yépez notes.

Momentum Cyber recorded a total of 63 M&A deals in Q3, 2023 with a total disclosed value of $34.9 billion. Of those, eight involved transactions of $100 million or more. Active M&A sectors in Q3 2023 according to Momentum included security consulting and services, managed security services, security operations, incident response, threat intel and identity and access management.

"While the majority of 2023 has centered around continued headwinds in a difficult market, strategic activity did see an uptick in deal volume across both M&A and financing toward the back half of Q3," says Momentum analyst John Gould. Momentum anticipates the trend will continue into 2024. "Strategic investors are becoming more opportunistic in M&A markets as evidenced by a number of key deals this past quarter," Gould says.

**Investment Activity Showed Signs of a Rebound**

Activity in the third quarter also suggested that investors are finally putting the disruption caused by Silicon Valley Bank's spectacular collapse in March, behind them.

All signs point to total venture funding in cybersecurity hitting $10 billion in 2023, matching the record setting year of 2020 says Richard Stiennon, chief research analyst at IT-Harvest. That total is less than half of the all-time record of $24 billion in 2021, he says. But "considering the failure of Silicon Valley Bank early in the year and the devastating impact that had on VCs, investments are not too shabby," Stiennon says.

IT-Harvest's data showed there was some $7.5 billion invested through the end of September in the cybersecurity sector with the GRC segment—once again—attracting the most investments at $1.6 billion. At the other end of the spectrum was the API security segment with just four investments totaling a paltry $15.9 million so far this year and email security with an even smaller $12.2 million in investor funding.

Investments activity in Q3, 2023 included some big rounds such as the $238 million that Cato Networks raised in equity investment in September. The financing round valued Cato at $3 billion and bought to $773 million in total that the secure access service edge technology provider has raised so far. Cato is one of several companies in the third quarter that hinted at going public in the near term Stiennon says. "There are signs of life on Wall Street with companies like Palo Alto Networks, CrowdStrike, and Zscaler up 63% to 95% from their lows on January 6," he notes.

Other major investments that Momentum tracked in the third-quarter included OneTrust's $150 million later stage venture capital raise in July, SpyCloud's $110 million growth round in August, Resilience's $100 million Series D round and Nord Security's $100 million growth raise in September.

"IPO rumors are also heating up for the first time in a while going into 2024," Gould says. "Later-stage security startups including Cato Networks and Rubrik have been rumored to be considering going public next year as the market looks to rebound from a dead period in traditional IPO activity since late 2021," he says.

Reasonable Valuations Drove Mergers and Acquisition Activity in Q3, 2023

The latest NIST Cybersecurity Framework draft highlights four major themes that organizations should pay attention to for managing risk.

Global cyberattacks have risen sharply over the last few years, increasing by 38% in 2022, according to Check Point. Combine this with the increasing cost of a data breach, averaging $9.44 million in the US and $4.25 million globally in 2022, preventing cyberattacks is at the top of everyone's mind going into 2024.

In early August, the National Institute of Standards and Technology (NIST) shared an update to its Cybersecurity Framework (CSF). The new draft reflects its inclusive and responsive attitude towards risk management for mitigating the cost and frequency of cyberattacks. As the gold standard for building a cybersecurity program and reducing cyber-risk, CSF 2.0 includes feedback from Fortune 500 companies on the front lines of cyberattacks.

To help enterprises keep up with the ever-evolving cyber threat landscape, NIST highlights the following four major themes that have direct business impacts on managing risk. Chief information security officers (CISOs) should keep the following principles in mind as they work to help secure their organizations and reduce cybersecurity risk in 2024.

**Emphasize Continuous and Quantitative Risk Assessment**

Continuous risk assessment is the cornerstone of a robust cybersecurity program. It is crucial for improving risk posture, enabling organizations to understand their most critical IT assets, the threats affecting them, security weaknesses, and the likelihood of these weaknesses getting exploited. Further, the Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations conduct cyber-risk assessments regularly to better understand their security posture. And the benefits of these regular assessments can include improving cyber resiliency and meeting cyber insurance requirements.

For organizations looking to implement near real-time risk assessment, automation and artificial intelligence (AI)-based tools are critical for keeping up with the sheer volume of risks. As bad actors begin to use AI for harm, it is critical to learn how to use it for good. Such tools enable enterprises to discover assets, prioritize vulnerabilities, and define the likelihood and potential impact of risks to organizations even as the attack surface evolves.

This recommendation in the NIST updated framework further refines CISOs' deep understanding of the complexities associated with cybersecurity risk measurement. However, the continuous risk assessment process is not up to the CISO alone; investments and buy-in must span all departments of the organization. The entire organization must view this as a means to better use the data it takes in.

**Prioritize Continuous Improvement**

Creating a culture of continuous improvement is more than just a concept. It emphasizes that cybersecurity isn't _just_ about implementing the next incremental category or subcategory recommended by NIST; it's a journey towards adopting a holistic stance with organization-wide support. For example, the software you patched and secured yesterday may be vulnerable to a new exploit today. So, constant adaptation and improvement are essential to keeping all your surfaces free from attacks that can pop up in a moment's notice.

NIST's updated draft embraces this attitude by introducing a new Improvement category in the Identify function. The draft also includes updates to definitions of the implementation tiers and additional factors, including cybersecurity risk management, governance, and third-party risks. This showcases a more holistic approach to managing risk.

**Strengthen Supply Chain Risk Management**

Attacks on the supply chain have become a focal point for bad actors over the past few years. Look no further than the SolarWinds attack and the Log4j exploitation. And there aren't any signs of a slowdown, as Gartner predicts that 45% of global organizations will be impacted by a supply chain attack by 2025. These attacks prove that most organizations struggle to create a software bill of materials (SBOM) for their in-use applications, which produces a gap in protection.

In the updated draft, NIST addresses supply chain risk management by warning organizations that agility and accuracy matter. The draft includes an example of contractually requiring suppliers to provide and maintain a component inventory, which could also be described as an SBOM. When so much of your organization's operations depend on the supply chain remaining intact, you must bring precision to the forefront of risk management to better stay ahead of any incoming attack.

**Enhance Implementation Examples**

While the first draft of the NIST framework included some suggested implementation examples, there were not enough. By adding additional examples, organizations looking to NIST for cybersecurity guidance have additional resources to apply best practices mentioned in the framework. Having as many practical application examples as possible provides CISOs and other security leaders with clear, actionable steps to implement better security measures.

The additional examples included in the updated draft can empower organizations looking to NIST for guidance on cybersecurity to apply best practices. The inclusion of the additional implementation angles shows that NIST is interested in creating a more functional, real-word, and responsive cybersecurity management process.

With increasing complexity and tools sprawl, the ever-expanding attack surface, and increasing regulatory pressures, automated and AI-powered tools that provide a single pane of glass view will be critical. This updated framework provides actionable steps for CISOs to adapt and better align their organization with the dynamic nature of the cybersecurity landscape for 2024 and beyond.

Reassessing the Impacts of Risk Management With NIST Framework 2.0

Threat intel experts see a reduced focus on desktop malware as threat groups prioritize passwords and tokens that let them access the same systems as remote workers.

Every day more than 8,000 Microsoft threat intelligence experts, researchers, analysts, and threat hunters analyze trillions of daily signals to uncover emerging threats and deliver timely, relevant security insights. 

While a good portion of this work is dedicated to threat actors and the infrastructure that enables them, we also focus on nation-state groups to contextualize their activities within the broader scope of geopolitical trends. This is critical in uncovering the "why" behind criminal activity, as well as preparing and protecting vulnerable audiences who may become the target of future attacks.

Read on to learn more about how Chinese nation-state tactics, techniques and procedures (TTPs) and threat activity have evolved over time.

**Adapting Is the Name of the Game**

As with most global industry sectors, COVID-19 led to a number of changes within the Chinese cyber-espionage landscape. The near-overnight shift in the number of employees working from their offices to their individual homes meant companies had to enable remote access to sensitive systems and resources that were previously restricted to corporate networks. In fact, one study found that telework jumped from 5% to 50% of paid US work hours between April and December 2020. Threat actors took advantage of this change by attempting to blend in with the noise, masquerading as remote workers in order to access these resources.

Additionally, because enterprise access policies had to be deployed so quickly, many organizations didn't have adequate time to research and review best practices. This created a gap for cybercriminals, enabling them to exploit system misconfigurations and vulnerabilities. 

As a consequence of this trend, Microsoft threat intelligence experts are seeing fewer instances of desktop malware. Instead, threat groups appear to be prioritizing passwords and tokens that enable them to access sensitive systems used by remote workers.

For example, Nylon Typhoon (formerly NICKEL) is one of the many threat actors that Microsoft tracks. Originally founded in China, Nylon Typhoon leverages exploits against unpatched systems to compromise remote access services and appliances. Once the nation-state actor achieves a successful intrusion, it uses credential dumpers or stealers to obtain legitimate credentials, access victim accounts, and target higher-value systems. 

Recently, Microsoft observed a threat group believed to be Nylon Typhoon conducting a series of intelligence collection operations against China's Belt and Road Initiative (BRI). As a government-run infrastructure project, this incident activity likely straddled the line between traditional and economic espionage.

**Common TTPs Deployed by Chinese Nation-State Groups**

One significant trend that we've observed coming out of China is the shifting focus from user endpoints and custom malware to concentrated resources that exploit edge devices and maintain persistence. Threat groups successfully using these devices to gain network access can potentially remain undetected for a significant period of time.

Virtual private networks (VPNs) are one significant target. Although organizations have begun to implement more stringent security measures, such as tokens, multifactor authentication, and access policies, cybercriminals are adept at navigating these defenses. VPNs are an attractive target because, when compromised successfully, they eliminate the need for malware. Instead, threat groups can simply grant themselves access and log in as any user.

Another rising trend is the use of Shodan, Fofa, and similar databases that scan the Internet, catalog devices, and identify different patch levels. Nation-state groups will also conduct their own Internet scans to uncover vulnerabilities, exploit devices, and, ultimately, access the network. 

This means organizations have to do more than just device patching. An effective solution involves inventorying your Internet-exposed devices, understanding your network perimeters, and cataloging device patch levels. Once that has been achieved, organizations can focus on establishing a granular logging capability and monitoring for anomalies.

As with all cybersecurity trends, nation-state activity is ever-evolving, and threat groups are growing more sophisticated in their attempts to compromise systems and enact damage. By understanding the attack patterns of these nation-state groups, we can better prepare ourselves to defend against future threats.

_— Read more_ _Partner Perspectives from Microsoft Security__._

A Frontline Report of Chinese Threat Actor Tactics and Techniques

NB Defense, ModelScan, and Rebuff, which detect vulnerabilities in machine learning systems, are available on GitHub.

Protect AI, maker of Huntr, a bug-bounty program for open source software (OSS), is venturing further into the OSS world by licensing three of its artificial intelligence/machine learning (AI/ML) security tools under the permissive Apache 2.0 terms.

The company developed the first tool, NB Defense, to protect ML projects being developed in Jupyter Notebooks, a common application favored by data scientists. As it became widely used, hackers began targeting Jupyter because of the power inherent in a tool meant to test code and packages. In response, Protech AI developed NB Defense, a pair of tools for scanning Notebooks for vulnerabilities, such as secrets, personally identifiable information (PII), CVE exposures, and code subject to restrictive third-party licenses. The JupityrLab extension finds and fixes security issues within a Notebook, whereas the CLI tool enables scanning of multiple Notebooks simultaneously and automatic scanning of those being uploaded to a central repository.

The second tool, ModelScan, originated from the need for teams to share ML models across the Internet, as more companies are developing AI/ML tools for internal use. ModelScan scans Pytorch, Tensorflow, Keras, and other formats for model serialization attacks,such as credential theft, data poisoning, model poisoning, and privilege escalation (wherein the model is weaponized to attack other company assets).

The third tool, Rebuff, was an existing open source project that Protect AI acquired in July and has continued developing. Rebuff addresses prompt injection (PI) attacks, in which an attacker sends malicious inputs to large language models (LLMs) in order to manipulate outputs, expose sensitive data, and allow unauthorized actions. The self-hardening prompt injection detection framework employs four layers of defense: heuristics, which filters out potentially malicious input before it reaches the model; a dedicated LLM, which analyzes incoming prompts to identify potential attacks; a database of known attacks, which helps it recognize and fend off similar attacks later on; and canary tokens, which modify prompts to detect leaks.

The spread of AI and LLMs across organizations of various sizes has led to a similar rise in tools to secure — or attack — such models. For example, HiddenLayer, this year's winner of the RSA Conference Innovation Sandbox, made securing those models against tampering its mission. In 2021, Microsoft released a security framework and its own open source tools for protecting AI systems against adversarial attacks. And the flaws just announced in TorchServe underscore the real-world stakes for even the biggest players, such as Walmart and the three major cloud service providers.

All three of Protect AI's tools — NB Defense, ModelScan, and Rebuff — are available on GitHub.

Protect AI Releases 3 AI/ML Security Tools as Open Source

Financial services organizations migrating applications to the cloud need to think about cloud governance, applying appropriate policies and oversight, and compliance and regulatory requirements.

When it comes to financial services moving securely to the cloud, there are several important considerations. Secure cloud usage first starts with secure use of the cloud by the financial services industry, including secure configurations, resiliency, and using pipelines that ensure consistent guardrails for developers, infrastructure teams, and security teams. This is layered on top of a secure foundation from cloud service providers. Additionally, there are compliance and regulatory requirements that must be met in order to demonstrate the effectiveness of the security measures in place.

Key areas to consider:

*   Business objectives and risk appetite
*   Oversight and governance of the cloud program
*   Threat and compliance-driven security controls
*   Continuous monitoring and drift detection
*   Talent
*   Culture

When migrating to the cloud, every organization must think about how they'll govern the process. This includes applying appropriate policies and oversight, as well as implementing technical controls. It is crucial to approach this from a threat-driven perspective, considering the various threat actors that may try to compromise security practices and policies.

**Cloud Governance is Key**

For financial services, cloud governance is essential. Cloud governance is a set of policies and procedures that help organizations manage their cloud computing resources effectively. It is important to establish a clear cloud governance structure before moving to the cloud, as it helps ensure that cloud resources are used securely and efficiently. This requires an organizational, operational, and technological approach to assist financial services in leveraging the cloud.

There are three lines of governance that are important for cloud governance:

*   **First line of governance:** This is responsible for the day-to-day management of cloud resources. It typically includes IT teams, development teams, cybersecurity, and DevOps teams.
*   **Second line of governance:** This is responsible for overseeing the first line of governance and ensuring that cloud resources are being managed in accordance with organizational policies and procedures. It typically includes audit and risk teams.
*   **Third line of governance:** This is responsible for providing independent assurance that cloud governance is effective. It typically includes an audit that reports to the board's audit committee.

When implementing an  organizational, operational, and technological approach to cloud governance, you should consider the following:

*   **Infrastructure pipelines:** These are automated pipelines that can be used to deploy and manage cloud infrastructure via terraform.
*   **Application pipelines:** These are automated pipelines that can be used to deploy and manage cloud applications with embedded security controls and checkers.
*   **Data pipelines:** These are automated pipelines that can be used to move and manage data in the cloud using tools like data classification, data tokenization/encryption, and data loss prevention tooling.
*   **Change management:** An integrated process for managing changes to cloud resources that enforces good governance around change.
*   **Policy revisions:** This is the process of reviewing and updating cloud governance policies and procedures with stakeholders.
*   **Monitoring:** This is the process of logging and tracking changes to cloud resources, as well as monitoring the environment for security. This includes both application, infrastructure, and security monitoring.
*   **Asset inventories:** This is a process for identifying and tracking cloud resources and what is running at any given time,

**What to Consider With Cloud Adoption**

As you move to adopt the above, it’s important to take an “everything as code” approach, in order to scale the operations and ensure repeatability in deploying, recovering applications, and ensuring controls are working effectively.

Financial services is a highly regulated industry, and cloud adoption brings increased scrutiny from regulatory and compliance partners. To address this, a cloud-native approach should be taken to mitigate risk and alleviate concerns. This requires collaboration among different teams, including frontline, technology, business, security, tech controls, operational risk management, and audit teams. By working together, a secure and compliant framework can be established.

Trusted third parties may also be involved in the implementation process. It is important to consider how their work will be verified and how their expertise can support the project. This may involve testing and verification of audit and compliance solutions.

From an executive perspective, it is crucial to communicate the cloud strategy and its benefits to the business. This includes demonstrating how security and compliance controls are continuously monitored and maintained. The cloud offers opportunities to showcase compliance and risk through data analysis. Gradual improvements should be made to the control environment over time, fostering a culture of quick learning and adaptation.

In summary, financial services moving to the cloud must address security, compliance, and governance considerations. Collaboration among various teams is essential, as is the involvement of trusted third parties. Executives should effectively communicate the cloud strategy and ensure continuous compliance and risk monitoring.  As with all organizational change management, culture is an important aspect to keeping the team motivated and being able to fail fast. This culture has to be demonstrated by leadership and all teams working collaboratively to achieve the mission.

_Read more_ _Partner Perspectives from Google Cloud_

Securely Moving Financial Services to the Cloud

October's CVE update is here. Here's which security vulnerabilities to patch now to exorcise your Microsoft systems demons.

Microsoft flagged two zero-day security vulnerabilities under active attack in October's Patch Tuesday update, which affect Microsoft WordPad and Skype for Business. The release also features a critical-rated, wormable bug in Message Queuing that could instill terror for admins of vulnerable systems.

The two bugs are part of a cadre of 103 total CVEs addressed by the computing giant this month. The patches run the gamut of Microsoft's portfolio, including Azure, ASP.NET, Core, and Visual Studio; Exchange Server; Office, Microsoft Dynamics, and Windows.

Appropriately for October, the number of critical-rated vulnerabilities comes in at an unlucky 13; and notably, a full 20% of the fixes in the update relate to Microsoft Message Queuing (MSMQ).

**October 2023 Bugs Under Active Exploit**

Falling into the hair-raising active exploit camp, the first issue under attack in the wild is CVE-2023-36563, an information-disclosure bug in the WordPad word processing program that could open the door to NTLM relay attacks by exposing NTLM hashes.

"To exploit this vulnerability, an attacker must first gain access to the system," explained Mike Walters, president and co-founder of Action1, in October Patch Tuesday commentary. "Subsequently, they would run a specially crafted application designed to take advantage of the vulnerability and seize control of the affected system."

He added, "Alternatively, the attacker could persuade a local user to open a malicious file. This persuasion might involve enticing the user to click a link, often via email or instant message, and then convincing them to open the specially crafted file."

As far as mitigation goes, "Microsoft doesn't list any Preview Pane vector, so user interaction is required," said Dustin Childs, researcher for Trend Micro's Zero Day Initiative, in a blog. "In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11. This new feature hasn't received much attention, but it could significantly hamper NTLM-relay exploits."

Meanwhile, CVE-2023-41763 in Skype for Business is ready to haunt admin dreams. It's listed as an elevation-of-privilege issue, but Childs pointed out that it should be treated as an information disclosure problem.

"An attacker could exploit this vulnerability by initiating a specially crafted network call to the targeted Skype for Business server," Walters said. "This action could lead to the parsing of an HTTP request sent to an arbitrary address, potentially revealing IP addresses and port numbers."

He added that some sensitive information may be exposed, including in some cases data that could grant access to internal networks. However, it won't allow the attacker to modify the exposed data or restrict access to the affected resource.

**20 Microsoft Message Queuing Vulnerabilities**

Also putting the shivers into cybersecurity defenders this month are a full 20 different MSMQ vulnerabilities, which together represent an outsized percentage of the total October fixes. One of them, CVE-2023-35349, earns the distinction of being the scariest (i.e., most severe) issue of the month; it carries a CVSS critical score of 9.8 out of 10.

The bug allows unauthenticated remote code execution (RCE) without user interaction, meaning that the issue is wormable on systems where Message Queuing is enabled.

MSMQ is used to allow applications across multiple servers or hosts to communicate with each other and allow for communications to be stored and queued as required. It is not enabled by default, but Microsoft Exchange Server can enable it during installation, according to Rob Reeves, principal security engineer at Immersive Labs.

"It is highly likely that a successful attack will afford the attacker with SYSTEM-level permissions on the target or allow for kernel exploitation," he said in emailed Patch Tuesday commentary. "It would be considered unusual for an enterprise environment to expose the MSMQ service publicly on the Internet ... so it is reasonable to assume that to leverage this vulnerability in an attack, an attacker would have first successfully phished a target network and discovered the vulnerable service during enumeration."

Users should patch immediately, but can also mitigate the problem by blocking communications on TCP Port 1801 from untrusted connections via the firewall, Reeves added.

Childs noted that the other MSMQ bugs are a mix of RCE issues that do require user interaction, and DoS flaws that do not.

"Microsoft doesn't state if successful exploitation would simply stop the service or blue screen the entire system," he noted. "They also don't note if the system would automatically recover once the DoS exploit ends. There have been many Message Queuing bugs fixed this year, so now is a great time to audit your enterprise to determine your exposure."

**Other Microsoft Bugbears to Prioritize This Month**

As far as other security monsters to be on the lookout for, CVE-2023-36434 in Windows IIS Server stands out, according to ZDI's Childs. An attacker who successfully exploits the bug could log on to an affected IIS server as another user.

The elevation-of-privilege vulnerability was labeled "important" by Microsoft, because a threat actor would need to already be present in the network to use it, but it carries a CVSS 9.8 rating.

"These days, brute force attacks can be easily automated," Childs noted. "If you're running IIS, you should treat this as a critical update and patch quickly."

Action1's Walters meanwhile highlighted a group of nine RCE vulnerabilities in the Layer 2 Tunneling Protocol, which all have a CVSS score of 8.1 (CVE-2023-41774, CVE-2023-41773, CVE-2023-41771, CVE-2023-41770, CVE-2023-41769, CVE-2023-41768, CVE-2023-41767, CVE-2023-41765, and CVE-2023-38166).

"They possess a network-based attack vector, have a high level of complexity for successful exploitation, do not require any special privileges, and demand no user interaction," he said. "Their exploitation is notably intricate ... To successfully exploit these vulnerabilities, an attacker must overcome a race condition. An unauthenticated attacker could achieve this by sending a carefully crafted protocol message to a Routing and Remote Access Service (RRAS) server."

An RCE vulnerability in Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server (CVE-2023-36577, CVSS 8.8) caught the eye of Jason Kikta, CISO and senior vice president at Automox.  
"Microsoft WDAC OLE DB Provider for SQL Server is a set of components designed to facilitate efficient data access from Microsoft SQL Server databases to endpoints," he said in a Patch Tuesday advisory. "It's a key element of the WDAC that allows developers to create applications capable of communicating with almost any data source, including SQL Server. This vulnerability may allow an attacker to execute arbitrary code on a targeted system by convincing a user to connect to a malicious database."

He noted, "These attacks can be mitigated by configuring the environment to connect only to trusted servers and enforcing certificate validation."  
And finally, Chris Goettl, vice president of security products at Ivanti, flagged the fact that October Patch Tuesday includes the last updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2.

"The latter go into Extended Security Support (ESU) starting with a November release, and Microsoft also announced the keys used to enable these updates will be managed as part of Azure Arc. They should be released next week," he said in emailed commentary.

"End-of-life software poses a risk to an organization," he warned. "No public updates will be available for these OS versions going forward. For Windows 11 users this means upgrading to a new Windows 11 branch. For Server 2012\\2012 R2 it is highly recommended to subscribe to ESU or migrate to a newer server edition."

This month's release also includes a patch for the just-disclosed HTTP/2 Rapid Reset distributed denial of service (DDoS) bug, as well as one for an external Chromium flaw that affects Microsoft Edge.

Microsoft Patch Tuesday Haunted by Zero-Days, Wormable Bug

Researchers believe that more than 70,000 Android devices may have been affected with preloaded Peachpit malware that was installed on the electronics before being sold at market.

After a researcher discovered that an Android-based TV streaming box, known as T95, was infected with preloaded malware, researchers at Human Security released information regarding the extent of infected devices and how malicious schemes are connected to these corrupted products. 

Daniel Milisic, a systems security consultant, created a script alongside instructions to help other users mitigate the threat after first coming across the issue. Now, Human Security's threat intelligence and research team has dubbed the operation "Badbox," which it characterizes as a complex, interconnected series of ad fraud schemes on a massive scale.

Human Security describes the operation as "a global network of consumer products with firmware backdoors installed and sold through a normal hardware supply chain." Once activated, the malware on the devices connect to a command-and-control (C2) server for further instructions. In tandem, a botnet known as Peachpit is integrated with Badbox, and engages in ad fraud, residential proxy services, fake email/messaging accounts, and unauthorized remote code installation.

According to the researchers at Human Security, 200 different models of Android devices are potentially affected, and at least 74,000 Android devices globally are potentially impacted by the Badbox infection. Eight different types of devices have backdoors installed: seven Android-based TV boxes — T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G — and an Android tablet, J5-W. The devices are made in China and somewhere along their supply chain, a firmware backdoor gets implemented on the devices.

The infected devices are from the Android Open Source Project (AOSP), meaning that anyone can modify the code, according to a Google spokesperson; they are not built on the official Android TV operating system for smart TVs and streaming devices, which is proprietary and open only to Google and its licensed partners for code modification. "The off-brand devices discovered to be BADBOX-infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results." 

Google's spokesperson adds, "Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified."

Human Security recommends that users avoid off-brand devices and be wary of clone apps that could potentially infect their device. In addition, users should consider restoring factory settings if a device is behaving oddly.

"While the disruption of Bandbox is a victory for the cybersecurity community, research must continue into the supply chain that allowed the threat to develop in the first place," Human Security said in its report, and added that other threat actors are poised to fill the vacuum.

Badbox Operation Targets Android Devices in Fraud Schemes

An overlooked library contains a vulnerability that could enable full remote takeover simply by clicking a link.

Researchers have uncovered a vulnerability in a library within the GNOME desktop environment for Linux systems. If embedded in a malicious link, it could enable attackers to perform machine takeover in an instant.

GNOME — short for GNU Object Model Environment — is an open source desktop environment implemented by popular Linux distributions like Ubuntu and Fedora.

According to a new blog from the GitHub Security Lab, within one of GNOME's default applications is a dependency containing a "High" 8.8 out of 10-rated, out-of-bounds array access vulnerability. Because of how the application works, all an attacker would need is one click from a victim in order to execute arbitrary code on a GNOME OS.

It "underscores a critical business risk," says Igor Volovich, VP of compliance strategy at Qmulos. "For businesses, this is a stark reminder that a single vulnerability, even in seemingly benign software components, can be leveraged for wide-scale compromise, especially when these components are interconnected within larger systems or platforms."

**A Bug in a Dependency, App, Environment, or OS**

The new vulnerability — CVE-2023-43641 — isn't with Linux or GNOME, at least directly.

The issue, rather, lies in "libcue," an obscure library with just nine forks on GitHub. libcue is used to parse "cue sheets," a metadata format for describing the layout of tracks on a CD or DVD.

Among other projects, libcue is used by "tracker-miners," a default application in GNOME used for indexing files in the home directory. Of note in this case is that tracker-miners automatically updates when files are added or modified in certain subdirectories, for example the "~/Downloads" folder.

GitHub's researchers took advantage of this fact when designing an exploit for CVE-2023-43641. They wrote a malicious Web page which, when visited, triggers the download of a cue sheet (.cue) file. The file was saved to ~/Downloads, and tracker-miners automatically scanned it using libcue, enabling their code to run (in this case, simply opening a calculator app).

The researchers have successfully tested exploits for the most recent versions of Ubuntu and Fedora. They have also publicly released a harmless, six-line proof-of-concept.

**Implications for Linux Users**

The open source nature of Linux, its applications, libraries, and so on, are both a weakness and a strength where enterprise security is concerned.

"Its open-source nature invites vast community contributions, fostering innovation but also expanding its threat surface," Volovich points out. On one hand, "preparedness lies in the robustness of the Linux community, which is often quick to patch and remediate identified vulnerabilities. However, the sheer scale of Linux deployments and varied custom configurations means that vulnerabilities can persist unnoticed."

That one tiny syntax handling error in one minor component of one easily missed application can be shown to cause such significant consequences means that Linux users cannot be content with simply patching as needed, Volovich thinks. "While patching remains an essential reactive measure in the cybersecurity arsenal, a singular focus on it creates a game of perpetual catch-up. The continuously evolving threat landscape necessitates a shift in mindset."

"Rather than isolating specific vulnerabilities, it's more effective to approach security from a controls perspective. By doing so, organizations can identify and address potential weak spots before they're exploited," he says, pointing to frameworks and standards like NIST and ISO. "When enterprises embed these standards into their operations, they don't merely respond to threats; they anticipate them."

One-Click 'Gnome' Exploit Is a Supply Chain Risk for Linux OSes

Ongoing Rapid Reset DDoS flood attacks exposed organizations need to patch CVE-2023-44487 immediately to head off crippling outages and business disruption.

An Internet-wide security vulnerability is at the root of a zero-day attack dubbed "HTTP/2 Rapid Reset," which resulted in a distributed denial-of-service (DDoS) flood that was orders of magnitude larger than any previous attack ever recorded. It marks a new chapter in the evolution of DDoS threats, researchers noted.

Amazon Web Services, Cloudflare, and Google Cloud each independently observed the attack in question, which featured multiple waves of traffic that lasted for just minutes each. They targeted cloud and Internet infrastructure providers, and the attack took place over Aug. 28–29. Unknown perpetrators are behind the event, but it's clear that they exploited a bug in the HTTP/2 protocol, which is used in about 60% of all Web applications.

AWS, Cloudflare, and Google worked with other cloud, DDoS security, and infrastructure vendors in a coordinated effort to minimize any real-world impact of the Rapid Reset attacks, mainly with load balancing and other edge strategies. But that doesn't mean the Internet is protected; plenty of organizations are still susceptible to the attack vector and will need to proactively patch their HTTP/2 instances to be immune to the threat.

The pioneering attack vector represents an important evolution of the DDoS landscape, according to Alex Forster, Cloudflare's technical lead over DDoS engineering.

"The threat of DDoS attacks is evolving quickly, and are far from a low-level annoyance that they used to be thought of as," he says. "This attack – the largest in the history of the Internet – shows just how critical it is to increasingly pay mind to and consider DDoS as a key way for threat actors to disrupt businesses and wreak havoc."  

**How the Rapid Reset DDoS Attacks Work**

The susceptibility to the attack within HTTP/2 is tracked as CVE-2023-44487, and it carries a high-severity CVSS score of 7.5 out of 10.

According to Cloudflare, HTTP/2 is "a fundamental piece to how the Internet and most websites operate. HTTP/2 is responsible for how browsers interact with a website, allowing them to 'request' to view things like images and text quickly, and all at once no matter how complex the website."

The attack technique involves making hundreds of thousands of HTTP/2 requests at once, then immediately canceling them, according to the company's analysis.

"By automating this 'request, cancel, request, cancel' pattern at scale, threat actors overwhelm websites and are able to knock anything that uses HTTP/2 offline," according to Cloudflare's advisory on the Rapid Reset attacks, posted on Oct. 10.

During the peak of the August campaign, Cloudflare saw more than 201 million requests per second (rps), it said in a media statement provided to Dark Reading, "with some organizations witnessing even larger numbers due to the timing of their mitigations." That's triple the size of the previous record holder, a DDoS attack last year that peaked at 71 million rps.

Google, meanwhile, observed a peak of 398 million rps, seven and a half times larger than any previous attack against its resources; AWS detected a peak of more than 155 million rps targeted at the Amazon CloudFront service.

"For a sense of scale, this \[peak\] two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September," Google researchers pointed out in a post on Oct. 10.

"We can't predict the future of DDoS attacks, but this recent series of attacks moves the trend in observed attacks closer to the anticipated exponential growth of doubling every 18 months or so," a Google spokesperson tells Dark Reading. "Defending services from attacks like these requires consistent capacity planning, as well as the ability to monitor for attacks and respond quickly."

The power of the method is such that the August tsunami was launched using a modestly sized botnet — fewer than 20,000 nodes. This makes Rapid Reset not only a powerful weapon but a highly efficient one as well.

"Cloudflare regularly detects botnets that are orders of magnitude larger than this — comprising hundreds of thousands and even millions of machines," according to the company's analysis. "For a relatively small botnet to output such a large volume of requests, with the potential to incapacitate nearly any server or application supporting HTTP/2, underscores how menacing this vulnerability is for unprotected networks."  

**Rapid Reset Mitigation**

While the Rapid Reset attacks haven't had the critical impact that the cyberattackers behind them may have hoped, the fact that threat actors were able to pioneer the technique in the first place should put companies on notice, especially given that DDoS attacks continue to be an important tool in cyberattackers' arsenals.

"Cybersecurity is a race," Forster explains. "While attackers carry out increasingly sophisticated and more impactful attacks, defenders develop cutting-edge methods and technology to combat them...After today, threat actors will be largely aware of the HTTP/2 vulnerability. It will inevitably become trivial to exploit and kick off the race between defenders and attacks — first to patch vs. first to exploit. Organizations of all sizes should assume that systems will be tested, and take proactive measures to ensure protection."

And indeed, attackers are launching DDoS attempts on an ongoing basis using the bug, despite extensive mitigations being put into place by cloud providers and DDoS security vendors in the wake of the initial zero-day offensive in August.

"Over those two days, AWS observed and mitigated over a dozen HTTP/2 rapid reset events, and through the month of September, continued to see this new type of HTTP/2 request flood," the cloud giant said in a post today.  

According to Google researchers, "any enterprise or individual that is serving an HTTP-based workload to the Internet may be at risk from this attack. Web applications, services, and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable."

They added, "Organizations that are managing or operating their own HTTP/2-capable server (open source or commercial) should apply vendor patches for CVE-2023-44487 when available."

While the HTTP/2 Rapid Reset vulnerability may have been record-breaking in size, the broader takeaways are not novel, Forster adds: "Turn incident management, patching, and evolving your security protections into ongoing processes. Patches for each variant of a vulnerability reduce risk, but they never fully eliminate it."

Forster provided Dark Reading a list of actionable recommendations for shoring up defenses against Rapid Reset and other DDoS threats:

*   Understand your external and partner network’s external connectivity to remediate any Internet facing systems with the mitigations provided by vendors;
*   Understand your existing security protection and capabilities you have to protect, detect, and respond to an attack, and immediately remediate any issues you have in your network;
*   Ensure your DDoS protection resides outside of your data center, because if the traffic gets to your data center, it will be difficult to mitigate a DDoS attack;
*   Ensure you have DDoS protection for applications (Layer 7), and ensure you have Web Application Firewalls. Additionally as a best practice, ensure you have complete DDoS protection for DNS, network traffic (Layer 3), and API firewalls;
*   Ensure Web server and operating system patches are deployed across all Internet-facing Web servers. Also, ensure all automation like Terraform builds and images are fully patched, so older versions of Web servers are not deployed into production over the secure images by accident;
*   As a last resort, consider turning off HTTP/2 and HTTP/3 (potentially also vulnerable) to mitigate the threat. This is a last resort only, because there will be a significant performance issues if you downgrade to HTTP/1.1;
*   And, consider a secondary, cloud-based DDoS Layer 7 provider at perimeter for resilience.

Internet-Wide Zero-Day Bug Fuels Largest-Ever DDoS Event

DDoS for hire and live attacks hit both sides as cyber campaigns continue.

Hacktivists are trading cyberattacks on both sides of the Israel-Hamas conflict.

According to detections by ReliaQuest, several pro-Russian hacktivist groups have identified Israeli targets, and Anonymous Sudan's official Telegram channel is discussing how to undermine Israel's Iron Dome defense, a mobile air defense system that intercepts and destroys short-range rockets and artillery shells.

Anonymous Sudan also named the Israeli government in online discussions as a main target and said it had obtained unspecified "zero-day vulnerabilities from Romania" to use in anti-Israel attacks.

The AnonGhost hacktivist group said it had managed to breach the "Red Alert" app to send messages like "The Nuclear Bomb is coming" and "Death to Israel."

Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, says the discussion on Telegram channels should be taken seriously even though their users' intentions and activities are often not verified, or reflect the true nature of a group.

**DDoS for Hire**

The Krypton network has also offered to sell its distributed denial-of-service (DDoS) capabilities to hacktivists wishing to target Israeli organizations. Morgan says Krypton is a known DDoS-for-hire botnet that allegedly includes several features to bypass DDoS mitigation services.

"It is realistically possible that the group saw an opportunity amidst the rush to target Israel, viewing it as a chance to make additional sales," Morgan says.

However, the attacks are not all one way, as ThreatSec reportedly compromised the Palestinian Internet services provider AlfaNet, with "literally every server owned by Alfanet" shut down. The group claimed its original goal was just to get a hold of some infrastructure, but it gained full control of more than 5,000 servers in the Gaza region. Statistics show a decline in Internet connectivity in Gaza over the past few days.

Since the attacks by Hamas began, cybercrime groups have shifted their activities toward the Middle East. More than a dozen threat groups declared their intention to launch disruptive attacks against Israel, Palestine, and their supporters. The Jerusalem Post was taken down by a cyberattack this week.

Morgan says Israel is regularly targeted by cyber threats — such as when the Russia-aligned Ragnar Locker group hit the Mayanei Hayeshua Medical Center in Bnei Brak this summer — often by Iranian APTs. Additionally, hacktivist groups frequently target Israel in response to the ongoing conflict with Hamas.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading